Add TokenReview RBAC to support CSI addons security enhancements

Signed-off-by: Bipul Adhikari <badhikar@redhat.com>
ceph · Jan 15, 2025 · 41f7454 · 41f7454
1 parent d9caee9
commit 41f7454
Show file tree

Hide file tree

Showing 11 changed files with 135 additions and 0 deletions.
diff --git a/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml b/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml
@@ -63,3 +63,6 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts/token"]
     verbs: ["create"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/config/csi-rbac/cephfs_ctrlplugin_role.yaml b/config/csi-rbac/cephfs_ctrlplugin_role.yaml
@@ -18,3 +18,6 @@ rules:
   - apiGroups: ["apps"]
     resources: ["deployments/finalizers", "daemonsets/finalizers"]
     verbs: ["update"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml b/config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml
@@ -19,3 +19,6 @@ rules:
 - apiGroups: [""]
   resources: ["serviceaccounts/token"]
   verbs: ["create"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
diff --git a/config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml b/config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml
@@ -49,3 +49,6 @@ rules:
   - apiGroups: ["storage.k8s.io"]
     resources: ["volumeattachments/status"]
     verbs: ["patch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/config/csi-rbac/nfs_nodeplugin_cluster_role.yaml b/config/csi-rbac/nfs_nodeplugin_cluster_role.yaml
@@ -9,3 +9,6 @@ rules:
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml b/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml
@@ -63,3 +63,6 @@ rules:
   - apiGroups: ["groupsnapshot.storage.k8s.io"]
     resources: ["volumegroupsnapshotcontents/status"]
     verbs: ["update", "patch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/config/csi-rbac/rbd_ctrlplugin_role.yaml b/config/csi-rbac/rbd_ctrlplugin_role.yaml
@@ -18,3 +18,6 @@ rules:
   - apiGroups: ["apps"]
     resources: ["deployments/finalizers", "daemonsets/finalizers"]
     verbs: ["update"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml b/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml
@@ -24,3 +24,6 @@ rules:
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/config/csi-rbac/rbd_nodeplugin_role.yaml b/config/csi-rbac/rbd_nodeplugin_role.yaml
@@ -15,3 +15,6 @@ rules:
   - apiGroups: ["apps"]
     resources: ["deployments/finalizers", "daemonsets/finalizers"]
     verbs: ["update"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
diff --git a/deploy/all-in-one/install.yaml b/deploy/all-in-one/install.yaml
@@ -14120,6 +14120,12 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14207,6 +14213,12 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14242,6 +14254,12 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14457,6 +14475,12 @@ rules:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14493,6 +14517,12 @@ rules:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14951,6 +14981,12 @@ rules:
   - volumeattachments/status
   verbs:
   - patch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14963,6 +14999,12 @@ rules:
   - nodes
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15200,6 +15242,12 @@ rules:
   verbs:
   - update
   - patch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15251,6 +15299,12 @@ rules:
   - nodes
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

diff --git a/deploy/multifile/csi-rbac.yaml b/deploy/multifile/csi-rbac.yaml
@@ -79,6 +79,12 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -125,6 +131,12 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -160,6 +172,12 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -325,6 +343,12 @@ rules:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -361,6 +385,12 @@ rules:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -494,6 +524,12 @@ rules:
   - volumeattachments/status
   verbs:
   - patch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -506,6 +542,12 @@ rules:
   - nodes
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -672,6 +714,12 @@ rules:
   verbs:
   - update
   - patch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -723,6 +771,12 @@ rules:
   - nodes
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding